Microsoft: This bug in TikTok’s Android app may have allowed one-click account hijacking

[Image: a man using his mobile phone on the street. Photo: Getty Images / iStockphoto]

Microsoft has detailed a serious flaw in the TikTok Android app that could have allowed attackers to hijack an account when a user clicked on a single link.

Thankfully, developers at TikTok’s parent company ByteDance quickly fixed the bug after Microsoft researchers reported the issue in February through a bug bounty program, according to Dimitrios Valsamaras, a researcher with the Microsoft 365 Defender Research Team.

The flaw is now tracked as CVE-2022-28799 and, while it has been fixed, Microsoft is urging all Android TikTok users to update the app to the latest version.


It is a critical flaw in the app’s exposed JavaScript interface that can be exploited via the WebView component of the TikTok Android app, which has been downloaded 1.5 billion times from the Google Play Store. WebView is an Android component that allows Android applications, written in the Java programming language or the Java-compatible Kotlin, to display web content.

That is how the MITRE entry for CVE-2022-28799 describes it.

As Valsamaras notes in a blog post, there are two versions of the TikTok Android app: one (with package name com.ss.android.ugc.trill) for East and Southeast Asia and another (with package name com.zhiliaoapp.musically) for other regions. Both contain the vulnerability.

“We applaud the efficient and professional decision from the TikTok security team. We encourage TikTok users to ensure they are using the latest version of the app,” Valsamaras wrote.

The vulnerability stems from the way TikTok’s developers implemented JavaScript interfaces for the application’s WebView. Such an interface provides a “bridge function”, whereby JavaScript code in a web page can call Java methods of a specific class in the application.

Valsamaras states that “Loading untrusted web content to a WebView with application-level objects accessible via JavaScript code makes the application vulnerable to JavaScript interface injection, which can lead to data leaks, data corruption, or, in some cases, arbitrary code execution”.

However, the actual vulnerability lies in how the TikTok app handles a certain “deep link” on Android, according to Valsamaras. Developers can use deep links to point to a chosen component within an app. When a user clicks a deep link, the Android package manager checks all installed apps to see which ones can respond to it and then directs the link to the component advertised as its handler, Valsamaras notes.

TikTok’s implementation of JavaScript interfaces in the app determined the impact of the vulnerability.

“While reviewing the application’s handling of a specific deep link, we discovered several issues that, when linked together, could be used to force the application to load an arbitrary URL into the application’s WebView,” Valsamaras wrote.


Microsoft found “70+ exposed methods” when examining the functions accessible to JavaScript code in web pages loaded in the WebView. Combining the vulnerability with these exposed methods could give attackers additional functionality to view and alter users’ private data.

By invoking these methods, an attacker could grab a user’s auth tokens by triggering a request to a server under the attacker’s control and recording the cookie and request headers. An attacker could also retrieve or modify a user’s TikTok account data, such as private videos and profile settings.

“In short, by controlling any of the methods capable of executing authenticated HTTP requests, a malicious actor could hack a TikTok user account,” Valsamaras wrote.

More broadly, Microsoft considers the use of JavaScript interfaces by developers to be a significant risk, because compromising such an interface could allow attackers to execute code with the application’s ID and privileges. Microsoft has previously detailed flaws caused by JavaScript interfaces in many popular Android applications.

Microsoft recommends that developers use “a list of approved, trusted domains to be loaded to an application’s WebView to prevent malicious or untrusted web content from being loaded.”
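The pattern described above, a deep link that supplies a URL to a WebView exposing a JavaScript bridge, together with the host allowlist Microsoft recommends, as an added illustration written for this page (it is not TikTok’s, ByteDance’s or Microsoft’s code). The activity, the `myapp://open?url=` deep-link format, the bridge class and the hosts in the allowlist are all hypothetical placeholders:

```java
// Added example, not code from TikTok or Microsoft. Shows a deep-link handler
// that refuses to load a caller-supplied URL into a bridged WebView unless the
// URL uses https and its host is on a fixed, exact-match allowlist.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends Activity {

    // Hypothetical allowlist of first-party hosts; compare the whole host,
    // never a prefix or substring, so "www.example-app.test.evil.test" fails.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.example-app.test", "help.example-app.test"));

    // Hypothetical bridge object: every @JavascriptInterface method here is
    // callable by any page loaded into the WebView, which is why the page
    // origin must be restricted before loading.
    static class NativeBridge {
        @JavascriptInterface
        public String getAccountSummary() {
            return "{\"user\":\"demo\"}"; // placeholder instead of real account data
        }
    }

    // Returns true only for https URLs whose host is exactly on the allowlist.
    static boolean isAllowedUrl(String candidate) {
        if (candidate == null) {
            return false;
        }
        Uri uri = Uri.parse(candidate);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), "nativeBridge");

        // Re-check every later navigation too, so a page on an allowed host
        // cannot carry the bridge along to an off-list host.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(url); // returning true cancels the navigation
            }
        });

        // Hypothetical deep link: myapp://open?url=https://www.example-app.test/page
        Uri deepLink = getIntent().getData();
        String target = (deepLink == null) ? null : deepLink.getQueryParameter("url");

        if (isAllowedUrl(target)) {
            webView.loadUrl(target);
        } else {
            // The weak pattern would be webView.loadUrl(target) unconditionally,
            // letting any link author choose which page gets the bridge.
            webView.loadUrl("https://www.example-app.test/");
        }
    }
}
```

Two details matter in practice: the check validates the scheme as well as the host, so a plain-http or javascript: URL is rejected even when the host string looks right, and the same check is applied in the WebViewClient so that navigations and redirects after the first load cannot leave the allowlist while the bridge remains attached.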

Google has also published a page for Android application developers on addressing JavaScript interface injection vulnerabilities.
